Netwrix and Stealthbits merge to better secure sensitive data. LEARN MORE

Forged PAC

How to detect, mitigate and respond to Forged PAC attacks

Forged PAC is a privilege escalation method that allows an attacker to be able to forge the Privilege Account Certificate (PAC) in a Kerberos ticket to gain access to resources they didn’t previously have before.

    Request A Free Trial

    Thank You For Your Request

    A Stealthbits representative will contact you shortly.

    If you have any questions, you can contact our sales department by sending an inquiry to sales@stealthbits.com.


    Stealthbits’ Forged PAC Solution

    Stealthbits’ products provide a multitude of ways to detect, mitigate, and respond to a Forged PAC attack.

    Detect Forged PAC Attack

    Detection is possible using the Golden Ticket approach with Forged PAC information in the Kerberos TGT.

    APPROACH #1

    Kerberos TGT Contains Specific Groups

    DESCRIPTION

    Monitor for specific RID’s appearing in Kerberos PAC data that shouldn’t be there. By default, this only monitors the following groups:

    • Domain Admins (512)
    • Enterprise Admins (519)
    • Schema Admins (518)

    PRODUCT: StealthINTERCEPT

    APPROACH #2

    Kerberos TGT Containing Groups of which the Account is not a Member

    DESCRIPTION

    Monitors group membership for accounts, as well as considers the Kerberos Ticket Lifetime, which drastically reduces false positives while allowing detection of all Forged PAC data.

    This threat can be modified to only look at specific groups or all groups depending on customer requirements.

    PRODUCT: StealthDEFEND

    Mitigate Forged PAC Attack

    APPROACH #1

    Reduce Domain Administrative Rights

    DESCRIPTION

    Review membership of privileged domain groups (e.g. Domain Admins, Enterprise Admins, Server Operators) and remove unnecessary members. These groups provide rights to access domain controllers.

    PRODUCT: StealthAUDIT

    APPROACH #2

    DC Logon Groups

    DESCRIPTION

    Perform reviews of all domain groups which provide logon rights to domain controllers (e.g. Domain Admins, Server Operators) as the members of these groups can gain access to the Ntds.dit file which resides on the file system of the domain controller. Perform regular reviews and remove unnecessary members.

    PRODUCT: StealthAUDIT

    APPROACH #3

    Secure Active Directory Permissions

    DESCRIPTION

    Review the following Active Directory permission applied at the domain level:

    • Replicating Directory Changes
    • Replicating Directory Changes All

    These rights provide attackers the ability to obtain the KRBTGT hash using the DCSync technique. Remove any unnecessary permissions.

    PRODUCT: StealthAUDIT Active Directory Permissions Analyzer

    APPROACH #4

    Service Ticket Request with Weak Encryption

    DESCRIPTION

    Monitor for Kerberos ticket requests using weak encryption (RC4_HMAC_MD5). These tickets are obtained when requesting Kerberos tickets for a particular service principal name (SPN), and are returned encrypted with the password of the service account tied to that SPN.

    PRODUCT: StealthDEFEND / StealthINTERCEPT

    DOWNLOAD OUR COMPLETE ATTACK-TO-PRODUCT MAPPING GUIDE

    Respond to Forged PAC Attack

    APPROACH #1

    Purge Kerberos Tickets on Source and Target Machine

    DESCRIPTION

    Due to the ability of Forged Kerberos Tickets being able to have random usernames and passwords, it is not advisable to disable user accounts. To instead get rid of their access, a Kerberos Ticket Purge on both the source and the target machine should be done in case the target was compromised.

    PRODUCT: StealthDEFEND

    APPROACH #2

    Disable Source Computer

    DESCRIPTION

    Disable the source computer that the Forged PAC originated from so it cannot authenticate more accounts and should be distrusted from the Domain/Forest.

    PRODUCT: StealthDEFEND

    APPROACH #3

    Disable All Accounts which Authenticated to Source Computer in the Last X Hours

    DESCRIPTION

    Customers may choose to look at all authentications against the source machine for the last X hours, where X is the Kerberos Ticket Lifetime, and then disable all the accounts which have authenticated to it until the investigation of the Forged PAC has been resolved.

    PRODUCT: StealthDEFEND

    Seeing is believing.

    © 2021 Stealthbits Technologies, Inc.